mirror of
https://github.com/mozilla/gecko-dev.git
synced 2025-01-26 23:23:33 +00:00
Bug 1668071: Use Principal URI instead of document URI when doing CSP frame-ancestors checks so origins which inherit the security context work correctly. r=smaug
Differential Revision: https://phabricator.services.mozilla.com/D93214
This commit is contained in:
parent
954aff6f9e
commit
2798413619
@ -1550,7 +1550,7 @@ nsCSPContext::PermitsAncestry(nsILoadInfo* aLoadInfo,
|
||||
nsCOMPtr<nsIURI> uriClone;
|
||||
|
||||
while (ctx) {
|
||||
nsCOMPtr<nsIURI> currentURI;
|
||||
nsCOMPtr<nsIPrincipal> currentPrincipal;
|
||||
// Generally permitsAncestry is consulted from within the
|
||||
// DocumentLoadListener in the parent process. For loads of type object
|
||||
// and embed it's called from the Document in the content process.
|
||||
@ -1559,28 +1559,37 @@ nsCSPContext::PermitsAncestry(nsILoadInfo* aLoadInfo,
|
||||
if (XRE_IsParentProcess()) {
|
||||
WindowGlobalParent* window = ctx->Canonical()->GetCurrentWindowGlobal();
|
||||
if (window) {
|
||||
currentURI = window->GetDocumentURI();
|
||||
// Using the URI of the Principal and not the document because e.g.
|
||||
// about:blank inherits the principal and hence the URI of the
|
||||
// document does not reflect the security context of the document.
|
||||
currentPrincipal = window->DocumentPrincipal();
|
||||
}
|
||||
} else if (nsPIDOMWindowOuter* windowOuter = ctx->GetDOMWindow()) {
|
||||
currentURI = windowOuter->GetDocumentURI();
|
||||
currentPrincipal = nsGlobalWindowOuter::Cast(windowOuter)->GetPrincipal();
|
||||
}
|
||||
|
||||
if (currentURI) {
|
||||
nsAutoCString spec;
|
||||
currentURI->GetSpec(spec);
|
||||
// delete the userpass from the URI.
|
||||
rv = NS_MutateURI(currentURI)
|
||||
.SetRef(""_ns)
|
||||
.SetUserPass(""_ns)
|
||||
.Finalize(uriClone);
|
||||
if (currentPrincipal) {
|
||||
nsCOMPtr<nsIURI> currentURI;
|
||||
auto* currentBasePrincipal = BasePrincipal::Cast(currentPrincipal);
|
||||
currentBasePrincipal->GetURI(getter_AddRefs(currentURI));
|
||||
|
||||
// If setUserPass fails for some reason, just return a clone of the
|
||||
// current URI
|
||||
if (NS_FAILED(rv)) {
|
||||
rv = NS_GetURIWithoutRef(currentURI, getter_AddRefs(uriClone));
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
if (currentURI) {
|
||||
nsAutoCString spec;
|
||||
currentURI->GetSpec(spec);
|
||||
// delete the userpass from the URI.
|
||||
rv = NS_MutateURI(currentURI)
|
||||
.SetRef(""_ns)
|
||||
.SetUserPass(""_ns)
|
||||
.Finalize(uriClone);
|
||||
|
||||
// If setUserPass fails for some reason, just return a clone of the
|
||||
// current URI
|
||||
if (NS_FAILED(rv)) {
|
||||
rv = NS_GetURIWithoutRef(currentURI, getter_AddRefs(uriClone));
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
}
|
||||
ancestorsArray.AppendElement(uriClone);
|
||||
}
|
||||
ancestorsArray.AppendElement(uriClone);
|
||||
}
|
||||
ctx = ctx->GetParent();
|
||||
}
|
||||
|
@ -0,0 +1,9 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>Helper file for Bug 1668071 - CSP frame-ancestors in about:blank</title>
|
||||
</head>
|
||||
<body>
|
||||
CSP frame-ancestors in about:blank
|
||||
</body>
|
||||
</html>
|
@ -0,0 +1,2 @@
|
||||
Cache-Control: no-cache
|
||||
Content-Security-Policy: frame-ancestors http://mochi.test:8888
|
@ -433,3 +433,7 @@ support-files =
|
||||
file_upgrade_insecure_navigation_redirect_same_origin.html
|
||||
file_upgrade_insecure_navigation_redirect_cross_origin.html
|
||||
[test_csp_style_src_empty_hash.html]
|
||||
[test_csp_frame_ancestors_about_blank.html]
|
||||
support-files =
|
||||
file_csp_frame_ancestors_about_blank.html
|
||||
file_csp_frame_ancestors_about_blank.html^headers^
|
||||
|
@ -0,0 +1,59 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<title>Bug 1668071 - CSP frame-ancestors in about:blank</title>
|
||||
<script src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
/* Description of the test:
|
||||
* We dynamically load an about:blank iframe which then loads a testframe
|
||||
* including a CSP frame-ancestors directive which matches the including
|
||||
* security context. We make sure that we not incorrectly block on
|
||||
* about:blank which should inherit the security context.
|
||||
*/
|
||||
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
||||
let aboutBlankFrame = document.createElement("iframe");
|
||||
document.body.appendChild(aboutBlankFrame);
|
||||
|
||||
aboutBlankFrame.onload = function() {
|
||||
ok(true, "aboutBlankFrame onload should fire");
|
||||
let aboutBlankDoc = aboutBlankFrame.contentDocument;
|
||||
is(aboutBlankDoc.documentURI, "about:blank",
|
||||
"sanity: aboutBlankFrame URI should be about:blank");
|
||||
|
||||
let testframe = aboutBlankDoc.createElement("iframe");
|
||||
aboutBlankDoc.body.appendChild(testframe);
|
||||
testframe.onload = function() {
|
||||
ok(true, "testframe onload should fire");
|
||||
let testDoc = SpecialPowers.wrap(testframe.contentDocument);
|
||||
ok(testDoc.documentURI.endsWith("file_csp_frame_ancestors_about_blank.html"),
|
||||
"sanity: document in testframe should be the testfile");
|
||||
|
||||
let cspJSON = testDoc.cspJSON;
|
||||
ok(cspJSON.includes("frame-ancestors"), "found frame-ancestors directive");
|
||||
ok(cspJSON.includes("http://mochi.test:8888"), "found frame-ancestors value");
|
||||
|
||||
SimpleTest.finish();
|
||||
}
|
||||
|
||||
testframe.onerror = function() {
|
||||
ok(false, "testframe onerror should not fire");
|
||||
}
|
||||
testframe.src = "file_csp_frame_ancestors_about_blank.html";
|
||||
}
|
||||
|
||||
aboutBlankFrame.onerror = function() {
|
||||
ok(false, "aboutBlankFrame onerror should not be called");
|
||||
}
|
||||
aboutBlankFrame.src = "about:blank";
|
||||
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
Loading…
x
Reference in New Issue
Block a user